General ACL operating notes
- ACLs do not affect serial port access.
ACLs do not apply to the switch’s serial port.
- ACL screening of IPv4 traffic generated by the switch.
ACLs applied on the switch screen IP traffic when other devices generate it. Similarly, ACL applications can screen responses from other devices to unscreened IP traffic the switch generates.
- ACL logging.
The ACL logging feature generates a message only when packets are explicitly denied or permitted as the result of a match, and not when implicitly denied. To help test ACL logging, configure the last entry in an ACL as an explicit
deny
orpermit
statement with alog
statement included, and apply the ACL to an appropriate VLAN.A detailed event will be logged for the first packet that matches a “deny” or “permit” ACL logged entry with the appropriate action specified.
Subsequent packets matching ACL logged entries will generate a new event that summarizes the number of packets that matched each specific entry (with the time period).
Logging enables you to selectively test specific devices or groups. However, excessive logging can affect switch performance. For this reason, Hewlett Packard Enterprise recommends that you remove the logging option from ACEs for which you do not have a present need. Also, avoid configuring logging where it does not serve an immediate purpose. (Note that ACL logging is not designed to function as an accounting method.) See also “Apparent Failure To Log All ‘Deny’ or ‘Permit’ Matches” in the section titled “ACL Problems”, found in the “Troubleshooting” section of the Management and Configuration Guide for your switch.
When configuring logging, you can reduce excessive resource use by configuring the appropriate ACEs to match with specific hosts instead of entire subnets.
- Minimum number of ACEs in an ACL.
Any ACL must include at least one ACE to enable IP traffic screening. A numbered ACL cannot be created without at least one ACE. A named ACL can be created “empty”; that is, without any ACEs. However in an empty ACL applied to an interface, the Implicit Deny function does not operate, and the ACL has no effect on traffic.
- Monitoring shared resources.
Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications. For information on determining current resource availability and usage, see “Monitoring Resources” in the management and configuration guide for your switch.
- Replacing or adding to an active ACL policy.
If you assign an ACL to an interface and subsequently add or replace ACEs in that ACL, each new ACE becomes active when you enter it. If the ACL is configured on multiple interfaces when the change occurs, then the switch resources must accommodate all applications of the ACL. If there are insufficient resources to accommodate one of several ACL applications affected by the change, then the change is not applied to any of the interfaces and the previous version of the ACL remains in effect.